Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.

2012-01-27 09:44:08 +01:00 · 2012-01-27 09:44:08 +01:00 · 374b4ea9da
parent 64b2b6a84d d358e0554b
commit 374b4ea9da
2 changed files with 5 additions and 1 deletions
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -90,6 +90,9 @@ Core and Builtins
 Library
 -------

+- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+  IV attack countermeasure.
+
 - Issue #6631: Disallow relative file paths in urllib urlopen methods.

 - Issue #13781: Prevent gzip.GzipFile from using the dummy filename provided by
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -369,7 +369,8 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
    }

    /* ssl compatibility */
-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
+    SSL_CTX_set_options(self->ctx,
+                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);

    verification_mode = SSL_VERIFY_NONE;
    if (certreq == PY_SSL_CERT_OPTIONAL)